Too many levels of symlinks for /var/tmp (clamav shows this)

Richard G

Okay, here is what's happening; I've never seen this before.
On the CentOS 7 servers, just like on the Alma 8 server, clamav was changed from custombuild to the OS version, and it's working fine.

However, now I get a problem mail from cron from 1 server, but it's happening on all servers.

From Cron <root@server> /usr/share/clamav/freshclam-sleep > /dev/null
ERROR: Can't download rfxn.ndb from http://www.rfxn.com/downloads/rfxn.ndb
ERROR: Database update process failed: HTTP GET failed
ERROR: Update failed.
systemd-tmpfiles: failed to open directory /var/tmp: too many levels of symbolic links

and

ERROR: Download failed (56) ERROR: Message: Failure when receiving data from the peer
ERROR: Can't download interserver256.hdb from http://sigs.interserver.net/interserver256.hdb
ERROR: Database update process failed: Connection failed
ERROR: Update failed.

However, when looking in the maldetect and clamav directories, these files (the .ndb and .hdb files) have the current date, so they are updated.
Still cron gives an error on 1 server.

So I don't know which log I checked, but I discovered this on both servers, which is also mentioned in the first cron output.
Code:
systemd-tmpfiles: failed to open directory /var/tmp: too many levels of symbolic links

I've searched and this seems to be a bug or issue, but I can't find a fix for it, other than removing the symlink from /var/tmp to /tmp, which we have done for many years to prevent malware execution in the /tmp directories.

Never had issues with this until the clamav change, as far as I can see.

Now when I issue the service clamav-freshclam status command on any server, this will appear as last:

Code:
Jan 10 13:40:23 server.mycompany.com freshclam[1225]: Trying again in 5 secs...
Jan 10 13:40:29 server.mycompany.com freshclam[1225]: WARNING: downloadFile: file not found: http://www.rfxn.com/downloads/rfxn.ndb
Jan 10 13:40:29 server.mycompany.com freshclam[1225]: WARNING: Can't download rfxn.ndb from http://www.rfxn.com/downloads/rfxn.ndb
Jan 10 13:40:29 server.mycompany.com freshclam[1225]: Trying again in 5 secs...
Jan 10 13:40:34 server.mycompany.com freshclam[1225]: WARNING: downloadFile: file not found: http://www.rfxn.com/downloads/rfxn.ndb
Jan 10 13:40:34 server.mycompany.com freshclam[1225]: ERROR: Can't download rfxn.ndb from http://www.rfxn.com/downloads/rfxn.ndb
Jan 10 13:40:34 server.mycompany.com freshclam[1225]: Update failed for custom database URL: http://www.rfxn.com/downloads/rfxn.ndb
Jan 10 13:40:34 server.mycompany.com freshclam[1225]: WARNING: fc_download_url_databases: fc_download_url_database failed: HTTP GET failed (11)
Jan 10 13:40:34 server.mycompany.com freshclam[1225]: ERROR: Database update process failed: HTTP GET failed
Jan 10 13:40:34 server.mycompany.com freshclam[1225]: ERROR: Update failed.

However, this is very odd:
Code:
WARNING: downloadFile: file not found: http://www.rfxn.com/downloads/rfxn.ndb
Why a "file not found" when I can use the exact same URL with wget and the file downloads just fine?
Why is only 1 server sending cron failure e-mails about this, since all servers have the same cron and root's alias is the same on all?

And as said.. all the servers have the same issue with this update. Nothing else reports this /var/tmp error.

Anything which can be done to fix it, if possible without removing the /var/tmp symlink?
 
Hi Richard;

Try this; maybe you can find more info:

edit /usr/local/directadmin/data/admin/services.status
clamav-freshclamd=ON to OFF

run service clamav-freshclam stop

take a backup of /var/lib/clamav

remove all files .cvd .hdb .ndb in /var/lib/clamav


run the command freshclam -v
check the output on the screen; maybe you can find more info

Don't run the command freshclam -v more than once an hour; the ClamAV Content Delivery Network can block your IP.

Good luck!
 
Hello Hostmavi.

Thank you for trying to help. It's a very odd issue.

I did some more investigation, and it happens on all servers it seems. The problem is caused by the crontab in /etc/cron.d which calls freshclam-sleep after the update. This cron is generating the error.

I just did even better. I completely uninstalled clamav and backed up my configs. Then I installed clamav again via custombuild, as this uses the OS version anyway now.
Then I had all directories again. I overwrote both freshclam.conf and scan.conf with my backups and restarted the services.

Not a single error to be seen.

For some reason, the .hdb and .ndb and .cvd files are placed in /usr/share/clamav too, which is where freshclam-sleep is present; these files should not be there.

And also the files are present here:
Code:
/usr/local/maldetect/sigs/rfxn.hdb
/usr/local/maldetect/sigs.old/rfxn.hdb
/usr/share/clamav/rfxn.hdb
/var/lib/clamav/rfxn.hdb

All are up to date. I let freshclam update 4 times a day in freshclam.conf so that should not cause blocking issues. Also when I was blocked, the files wouldn't be up to date, and they are. :)

It seems the crontab which calls freshclam-sleep is called every 3 hours.

However I also installed maldetect and there I see some error which might be related with one of the errors:
systemd-tmpfiles: failed to open directory /var/tmp: too many levels of symbolic links
this one I quoted in my first message.

Now looking at /usr/local/maldetect/sigs I got some blinking stuff.
Code:
lrwxrwxrwx  1 root root   47 2023-01-14 08:34 lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.2097.hdb
lrwxrwxrwx  1 root root   47 2023-01-14 08:34 lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.2097.ndb

Those .runtime.user.xxx files are missing in that temp directory, but if I remove the symlinks, they just get created again. But I don't know if this has anything to do with the odd clamav issue.

On another server (where I did no fresh clamav installation) I just changed the checks from the default 24 to 4. I thought I had done that already, but it seems I forgot to save.

On restarting the clamav-freshclam service there, this is the first part of the output:
Code:
Jan 15 00:34:02 server.mycompany.com freshclam[28774]: < Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=BdeD...604800}
Jan 15 00:34:02 server.mycompany.com freshclam[28774]: < NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Jan 15 00:34:02 server.mycompany.com freshclam[28774]: < Server: cloudflare
Jan 15 00:34:02 server.mycompany.com freshclam[28774]: < CF-RAY: 789a2e1a5ca2c30a-VIE
Jan 15 00:34:02 server.mycompany.com freshclam[28774]: < alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
I don't know where this cloudflare stuff is coming from, we're not using cloudflare, so maybe that's something from the config?
 
Hi Richard;
Code:
systemd-tmpfiles: failed to open directory /var/tmp: too many levels of symbolic links
Could you please test this command and see if you have recursive symbolic links:

find -L /var > /dev/null

You should have output like this:
find: File system loop detected; ‘/var/www/build/build’ is part of the same file system loop as ‘/var/www/build’.
Maybe you have recursive symbolic links for /var/tmp.

Code:
For some reason, the .hdb and .ndb and .cvd files are place in /usr/share/clamav too, that is where freshclam-sleep is present, these files should not be there.

Please check /etc/freshclam.conf for these lines; remove them if you have them there, or comment them out with #:

DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb

Code:
lrwxrwxrwx  1 root root   47 2023-01-14 08:34 lmd.user.hdb -> /usr/local/maldetect/tmp/.runtime.user.2097.hdb
lrwxrwxrwx  1 root root   47 2023-01-14 08:34 lmd.user.ndb -> /usr/local/maldetect/tmp/.runtime.user.2097.ndb

These symlinks are okay. If maldet starts a scan, the symlinks will work.

Code:
Those .runtime.user.xxx files are missing in that temp directory

First check /usr/local/maldetect/tmp; you will see it is empty,
and the /usr/local/maldetect/sigs/lmd.user.hdb and /usr/local/maldetect/sigs/lmd.user.ndb symlinks are not working.
Run the command maldet -a

If maldet starts to scan,
check /usr/local/maldetect/sigs and /usr/local/maldetect/tmp again.
/usr/local/maldetect/tmp/.runtime.user.xxx is only there while maldet is scanning;
after scanning ends /usr/local/maldetect/tmp will be empty again.



Code:
I don't know where this cloudflare stuff is coming from, we're not using cloudflare, so maybe that's something from the config?

This is also okay; rfxn.com is using Cloudflare.

I hope this helps.
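The `find -L` check above reports directory loops (a symlinked directory that resolves to one of its own ancestors), while the systemd-tmpfiles message is the kernel's ELOOP for a symlink chain that never terminates. Those are two different faults, and a plain /var/tmp -> /tmp link is neither. The script below is an added example, not code from this thread or from ClamAV, maldet or systemd: it builds a throwaway directory tree containing all three cases and classifies them with a `find -L`-style walk and a hop-limited resolver. The sandbox layout, the 40-hop budget (the Linux MAXSYMLINKS value) and the function names are assumptions made for the demonstration.

```python
import errno
import os
import tempfile

# Linux follows at most 40 symlinks per path lookup (MAXSYMLINKS); past that the
# kernel returns ELOOP, which tools print as "too many levels of symbolic links".
MAX_SYMLINK_HOPS = 40


def resolve_chain(path, max_hops=MAX_SYMLINK_HOPS):
    """Follow the last path component through symlinks one hop at a time.

    Returns (final_target, hops). Raises OSError(ELOOP) once more than
    max_hops links have been followed, i.e. a circular chain such as
    a -> b -> a that never reaches a real file or directory.
    """
    current = os.path.abspath(path)
    hops = 0
    while os.path.islink(current):
        hops += 1
        if hops > max_hops:
            raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), path)
        target = os.readlink(current)
        # Relative link targets are interpreted from the link's own directory.
        current = os.path.normpath(os.path.join(os.path.dirname(current), target))
    return current, hops


def find_fs_loops(root):
    """Walk root following directory symlinks, the way `find -L` does.

    Returns a list of (link_path, ancestor) pairs where a symlinked directory
    resolves to a directory already on the current descent path. That is the
    "File system loop detected" case; a link that points outside the path,
    such as /var/tmp -> /tmp, is simply followed like any other directory.
    """
    loops = []

    def walk(directory, on_path):
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            return
        for name in names:
            full = os.path.join(directory, name)
            # isdir() follows links; a dangling or circular link yields False.
            if not os.path.isdir(full):
                continue
            real = os.path.realpath(full)
            if real in on_path:
                loops.append((full, real))
                continue
            walk(full, on_path | {real})

    walk(root, {os.path.realpath(root)})
    return loops


def build_sandbox():
    """Create a throwaway tree (constructed sample, not a real server) with:
      var/tmp -> <root>/tmp       the one-hop link the poster uses: harmless
      var/www/build/build -> .    a directory loop, as in the find -L output
      srv/a -> b, srv/b -> a      a circular chain that produces ELOOP
    """
    root = tempfile.mkdtemp(prefix="symlink-audit-")
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "var", "www", "build"))
    os.makedirs(os.path.join(root, "srv"))
    os.symlink(os.path.join(root, "tmp"), os.path.join(root, "var", "tmp"))
    os.symlink(".", os.path.join(root, "var", "www", "build", "build"))
    os.symlink("b", os.path.join(root, "srv", "a"))
    os.symlink("a", os.path.join(root, "srv", "b"))
    return root


def audit(root):
    """Classify the sandbox links: loops found by the walk, plus each checked
    link as either resolvable (with its hop count) or ELOOP."""
    report = {"loops": find_fs_loops(root), "eloop": [], "ok": []}
    for rel in ("var/tmp", "srv/a"):
        try:
            _, hops = resolve_chain(os.path.join(root, rel))
            report["ok"].append((rel, hops))
        except OSError as err:
            if err.errno != errno.ELOOP:
                raise
            report["eloop"].append(rel)
    return report


if __name__ == "__main__":
    sandbox = build_sandbox()
    for key, value in audit(sandbox).items():
        print(f"{key}: {value}")
```

Run it as-is and the report shows the /var/tmp style link resolving in one hop, the build/build link as the only loop, and srv/a as the only ELOOP; pointing `find_fs_loops` at a real `/var` gives the same answer `find -L /var` does, without the noise of every file under it.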
 
After reinstalling clamav I now only get this error from the same crontab:
Code:
ERROR: Problem with internal logger (UpdateLogFile = /var/log/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!
Maybe that is because I enabled the log in freshclam.conf, however the log is working.
Same for the other server, after changing the checks to 4 there too and enabling the log.

find -L /var > /dev/null
That gives this output:
find: File system loop detected; ‘/var/www/build/build’ is part of the same file system loop as ‘/var/www/build’.

I did symlink /var/tmp to /tmp and protected /tmp (but used chmod 1777) to prevent users from writing malicious scripts there. I've used that for years and never had issues with it. Also on this server it's been running like that since 2019 without problems. I didn't change anything lately.

Please check /etc/freshclam.conf for these lines; remove them if you have them there, or comment them out with #
If I remove or comment that, the database files won't be downloaded anymore or which program will download them? As this is the only place I used these custom sigs as far as I know.

first check /usr/local/maldetect/tmp you will see it is empty
No it contains these files on 1 server.
Code:
drwx------  2 root root 4.0K 2022-12-12 06:29 .sigup.24420.10441
drwx------  2 root root 4.0K 2022-09-09 08:29 .sigup.30346.12156
drwx------  2 root root 4.0K 2022-02-20 07:29 .sigup.31424.4043
drwx------  2 root root 4.0K 2022-10-23 08:31 .sigup.5449.32564
drwx------  2 root root 4.0K 2022-04-27 08:28 .sigup.578.25058

However, on the other server it's empty indeed. So I presume I can safely remove these files on the first one.

Except for that libfreshclam init failed, things seem to work now on every server.
Code:
Sun Jan 15 09:14:12 2023 -> Current working dir is /var/lib/clamav/
Sun Jan 15 09:14:12 2023 -> Retrieving http://www.rfxn.com/downloads/rfxn.hdb
Sun Jan 15 09:14:12 2023 -> downloadFile: Download source:      http://www.rfxn.com/downloads/rfxn.hdb
Sun Jan 15 09:14:12 2023 -> downloadFile: Download destination: /var/lib/clamav/tmp.3223b664ea/clamav-cb60be73fd3df0856150a84fc18263bb.tmp
Sun Jan 15 09:14:12 2023 -> rfxn.hdb is up-to-date (version: custom database)
Sun Jan 15 09:14:12 2023 -> fc_download_url_database: rfxn.hdb already up-to-date.
Sun Jan 15 09:14:12 2023 -> Current working dir is /var/lib/clamav/
Sun Jan 15 09:14:12 2023 -> Retrieving http://www.rfxn.com/downloads/rfxn.yara
Sun Jan 15 09:14:12 2023 -> downloadFile: Download source:      http://www.rfxn.com/downloads/rfxn.yara
Sun Jan 15 09:14:12 2023 -> downloadFile: Download destination: /var/lib/clamav/tmp.3223b664ea/clamav-fe04fdf757955d296618a9041d87bbe3.tmp
Sun Jan 15 09:14:12 2023 -> rfxn.yara is up-to-date (version: custom database)
Sun Jan 15 09:14:12 2023 -> fc_download_url_database: rfxn.yara already up-to-date.

At 03:14 this night, it gave the same WARNING: fc_download_url_databases: fc_download_url_database failed: HTTP GET failed (11) notice, but now at 09:14 it seemed to have worked correctly.

Odd thing is, the rfxn.hdb etc. files are the only ones also present in /usr/share/clamav where the freshclam-sleep binary is present. While the other custom sigs (interserver) are only in /var/lib/clamav where the .hdb etc files are also present like they should be.

I don't know why the .hdb files are also getting into /usr/share/clamav unless maybe maldetect puts them there.
Also in /var/lib/clamav, the owner is different between the sigs; I don't know if that matters.

The /var/lib/clamav content
Code:
-rw-r--r--   1 clamupdate clamupdate 287K 2021-04-08 12:32 bytecode.cvd
-rw-r--r--   1 clamupdate clamupdate 183M 2023-01-14 09:58 daily.cld
-rw-r--r--   1 clamupdate clamupdate   69 2022-12-09 00:44 freshclam.dat
-rw-r--r--   1 clamupdate clamupdate 3.3M 2022-09-13 17:59 interserver256.hdb
-rw-r--r--   1 clamupdate clamupdate 121K 2022-09-13 18:00 interservertopline.db
-rw-r--r--   1 clamupdate clamupdate 163M 2021-09-22 16:01 main.cvd
-rw-r--r--   1 root       root       853K 2023-01-15 03:27 rfxn.hdb
-rw-r--r--   1 root       root       444K 2023-01-15 03:27 rfxn.ndb
-rw-r--r--   1 root       root       401K 2023-01-15 03:27 rfxn.yara
-rw-r--r--   1 clamupdate clamupdate  16K 2022-12-09 00:48 shell.ldb
-rw-r--r--   1 clamupdate clamupdate 171K 2022-12-09 00:48 whitelist.fp
If freshclam updates interserver256, why does that have clamupdate as owner and the rfxn files are root? Shouldn't they all be clamupdate as owner then?
 
Code:
ERROR: Problem with internal logger (UpdateLogFile = /var/log/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

This can also be a freshclam.log owner issue.



Code:
-rw-r--r--   1 clamupdate clamupdate 287K 2021-04-08 12:32 bytecode.cvd
-rw-r--r--   1 clamupdate clamupdate 183M 2023-01-14 09:58 daily.cld
-rw-r--r--   1 clamupdate clamupdate   69 2022-12-09 00:44 freshclam.dat
-rw-r--r--   1 clamupdate clamupdate 3.3M 2022-09-13 17:59 interserver256.hdb
-rw-r--r--   1 clamupdate clamupdate 121K 2022-09-13 18:00 interservertopline.db
-rw-r--r--   1 clamupdate clamupdate 163M 2021-09-22 16:01 main.cvd

These files are from clamav.

Code:
-rw-r--r--   1 root       root       853K 2023-01-15 03:27 rfxn.hdb
-rw-r--r--   1 root       root       444K 2023-01-15 03:27 rfxn.ndb
-rw-r--r--   1 root       root       401K 2023-01-15 03:27 rfxn.yara

These files are from maldet. This can be because you set scan_clamscan="1" in /usr/local/maldetect/conf.maldet.
Before maldet starts scanning with clamav, maldet will build signatures in /var/lib/clamav.



Code:
drwx------  2 root root 4.0K 2022-12-12 06:29 .sigup.24420.10441
drwx------  2 root root 4.0K 2022-09-09 08:29 .sigup.30346.12156
drwx------  2 root root 4.0K 2022-02-20 07:29 .sigup.31424.4043
drwx------  2 root root 4.0K 2022-10-23 08:31 .sigup.5449.32564
drwx------  2 root root 4.0K 2022-04-27 08:28 .sigup.578.25058

These files, I don't know what they are or why they are in /usr/local/maldetect/tmp.

Code:
find: File system loop detected; ‘/var/www/build/build’ is part of the same file system loop as ‘/var/www/build’.
This is okay; you don't have recursive symbolic links for /var/tmp.
 
this can be also freshclam.log owner issue
Looks good to me, unless it should be something else?
-rw-rw-r-- 1 clamupdate clamupdate 20K 2023-01-15 16:21 freshclam.log
Looks correct to me. However, I disabled the freshclam.log option and turned on the syslog options, and now the error is gone.

this files i don't know what they are and why they are in /usr/local/maldetect/tmp
Those were all directories. No clue why; maybe old leftovers. I removed them all now. Seems fine.

this files from maldet .
No they are all from Clamav. I've been checking and had also the error once about not receiving the files from the interserver256.hdb files.

I put them all in the /etc/freshclam.conf file myself several years ago.
Code:
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.hdb
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.yara
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
DatabaseCustomURL http://sigs.interserver.net/interservertopline.db
DatabaseCustomURL http://sigs.interserver.net/shell.ldb
DatabaseCustomURL http://sigs.interserver.net/whitelist.fp

So they are all updated by freshclam. It's only odd that the interserver sigs are present with clamupdate as owner and the rfxn ones with root as owner.
Also the case with the now-working server. Only the AlmaLinux 8 server has them all with clamupdate as owner.

However on one C7 server and the Alma 8 server it's going well... the interserver only got updated this morning but does not give any errors further on.

It seems only 1 Centos 7 server has an issue still by not being able to download the rfxn databases. So I disabled those now as you suggested and will try in a couple of days to see if it will work again then. Maybe it's indeed blocked. However, with wget I don't have any issues downloading them. If server was blocked, I wouldn't be able to get them via wget either, correct?
So I'm still confused.
 
Code:
-rw-r--r--   1 root       root       853K 2023-01-15 03:27 rfxn.hdb
-rw-r--r--   1 root       root       444K 2023-01-15 03:27 rfxn.ndb
-rw-r--r--   1 root       root       401K 2023-01-15 03:27 rfxn.yara


Just tested it.
In /etc/freshclam.conf I have no DatabaseCustomURL.
I set scan_clamscan="1" in /usr/local/maldetect/conf.maldet.
I left only freshclam.dat in /var/lib/clamav.

ls -l /var/lib/clamav
-rw-r--r-- 1 clamupdate clamupdate 69 Jan 15 16:23 freshclam.dat


You can see the server IP is blocked by clamav.net:
Code:
freshclam[2665]: See https://docs.clamav.net/faq/faq-eol.html for details.
freshclam[2665]: 2. Run FreshClam no more than once an hour to check for updates.
freshclam[2665]: FreshClam should check DNS first to see if an update is needed.
freshclam[2665]: If you have more than 10 hosts on your network attempting to download,
freshclam[2665]: it is recommended that you set up a private mirror on your network using
freshclam[2665]: cvdupdate (https://pypi.org/project/cvdupdate/) to save bandwidth on the
freshclam[2665]: CDN and your own network.
freshclam[2665]: 4. Please do not open a ticket asking for an exemption from the rate limit,
freshclam[2665]: it will not be granted.
freshclam[2665]: WARNING: You are still on cool-down until after: 2023-01-16 01:12:52



So I ran
maldet -a
Linux Malware Detect v1.6.4
(C) 2002-2019, R-fx Networks <[email protected]>
(C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(8770): {scan} signatures loaded: 17368 (14531 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(8770): {scan} building file list for , this might take awhile...
maldet(8770): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(8770): {scan} file list completed in 1s, found 50303 files...
maldet(8770): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(8770): {scan} scan of (50303 files) in progress...


ls -l /var/lib/clamav
-rw-r--r-- 1 clamupdate clamupdate 69 Jan 15 16:23 freshclam.dat
-rw-r--r-- 1 root root 872658 Jan 15 20:08 rfxn.hdb
-rw-r--r-- 1 root root 454137 Jan 15 20:08 rfxn.ndb
-rw-r--r-- 1 root root 410441 Jan 15 20:08 rfxn.yara

So I don't have any DatabaseCustomURL in /etc/freshclam.conf,
but the files are in /var/lib/clamav again.
It can be maldet copying the files from /usr/local/maldetect/sigs to /var/lib/clamav.

Best Regards
 
in /etc/freshclam.conf i have no DatabaseCustomURL
No that is correct, like I said I put those in there myself several years ago and never had issues with it.

i set in usr/local/maldetect/conf.maldet scan_clamscan="1"
I also have that.

ls -l /var/lib/clamav
-rw-r--r-- 1 clamupdate clamupdate 69 Jan 15 16:23 freshclam.dat
Aren't you missing files there then? Because there should be 2 other files present in there.
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 2021 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 60529725 Jan 15 15:20 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 69 Jan 15 15:20 freshclam.dat

I got those installed automatically when installing clamav. So I presume you have both the .cvd files too.

it can be maldet copying files the from /usr/local/maldetect/sigs to /var/lib/clamav
Aha! Yes you could be right indeed. I will test this on the unwilling server. They don't exist now in /var/lib/clamav, so if they are in there tomorrow we can be sure that Maldet puts them in there, and then they don't need to be in the freshclam.conf.

And your /usr/share/clamav only contains the freshclam-sleep file, nothing else, is that correct?
 
@Hostmavi It seems you are correct. I removed the rfxn files from /var/lib/clamav and /usr/share/clamav and commented the rfxn files with # in freshclam.conf and restarted freshclam.conf.
Today I checked and the rfxn files were again present in /var/lib/clamav and in /usr/share/clamav. So Maldetect puts them there. However I was not 100% sure if I restarted the freshclam service. So I restarted the service today and I expect the files will be back tomorrow.

On the first server it's still working fine though, with the rfxn files in the freshclam.conf.
I found that tip on this site and thought it would come in handy if clamav would use it too, and not only maldetect. But if you maybe know whether all databases in /var/lib/clamav are used regardless of whether they were in freshclam.conf or not, then indeed we can remove them from freshclam.conf if maldet is installed too.

As for now I did not encounter the error again yet about the too many symlinks in /tmp.
Thanks!

@Remco00 I had a look at your issue, and thought I did not have this problem. So I checked my logs and it seems it's happening to me too. :(

Code:
Jan 16 03:21:46 server25 maldet(6081): {scan} file list completed in 3s, found 2134 files...
Jan 16 03:21:46 server25 maldet(6081): {scan} found clamav binary at /bin/clamdscan, using clamav scanner engine...
Jan 16 03:21:46 server25 maldet(6081): {scan} scan of  (2134 files) in progress...
Jan 16 03:21:51 server25 maldet(6081): {scan} clamscan returned an error, check /usr/local/maldetect/logs/clamscan_log for details!

And in the clamscan_log from maldetect exactly the same result:
Code:
Jan 16 03:21:46 server25 clamscan start
Jan 16 03:21:46 server25 executed: /bin/nice -n 19 /bin/ionice -c2 -n 6 /bin/clamdscan --fdpass  --infected --no-summary -f /usr/local/maldetect/tmp/.find.6081
Jan 16 03:21:51 server25 clamscan end return 2
Jan 16 03:21:51 server25 clamscan end

Seems this error has existed for a couple of years; I found this on GitHub, but no solution.

Somewhere else I read it might be a maldet 1.6 issue and the person went back to 1.5 and all was fine.

So in fact we have an even bigger problem.
 
Indeed we do, but the problem only occurred after the last CB clamav conversion. Until then there was no problem and maldet worked fine with clamav. So there may be something wrong with the clamav configuration. Or maldet needs a config change. For now maldet is temporarily set with scan_clamscan=0.
 
scan_clamscan=0
Seems the only solution. :(

but the problem only occurred after the last CB clamav conversion.
I don't know. I didn't get any error messages about it (not happy with that) and don't have any old logs. I don't remember which binary of clamav was used to do the scan before DA stopped the support.
It's a Maldetect bug anyway and as far as I can see already existing since 2016 when first reported on Github. With the OS version of clamav at least.
 
Hi Richard,

Code:
Aren't you missing files there then? Because there should be 2 other files present in there.
-rw-r--r-- 1 clamupdate clamupdate 293670 Apr 8 2021 bytecode.cvd
-rw-r--r-- 1 clamupdate clamupdate 60529725 Jan 15 15:20 daily.cvd
-rw-r--r-- 1 clamupdate clamupdate 69 Jan 15 15:20 freshclam.dat

No, I'm not missing the files. They were there, but I deleted them for the testing.

Code:
And your /usr/share/clamav only contains the freshclam-sleep file, nothing else, is that correct?
Yes, only the freshclam-sleep file existed there, but
after I ran maldet -a for the scanning test and
checked again, the following files from /usr/local/maldetect/sigs are there:

-rw-r--r-- 1 root root 872658 Jan 15 20:08 rfxn.hdb
-rw-r--r-- 1 root root 454137 Jan 15 20:08 rfxn.ndb
-rw-r--r-- 1 root root 410441 Jan 15 20:08 rfxn.yara

maldet is copying them into /var/lib/clamav and into /usr/share/clamav.
I checked; all the files have the same timestamp as in /usr/local/maldetect/sigs.

I wanted to remove clamav and reinstall it with custombuild, but there is an issue with it:
./build remove_clamav is not working; I will check it.

Best regards.
 
Indeed we do, but the problem only occurred after the last CB clamav conversion. Until then there was no problem and maldet worked fine with clamav. So there may be something wrong with the clamav configuration. Or maldet needs a config change. For now maldet is temporarily set with scan_clamscan=0.

Hi Remco00;
Can you please test whether this fixes your issue?
Please set scan_clamscan="1" in /usr/local/maldetect/conf.maldet again,
and in /etc/clamd/scan.conf
set User root

Code:
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User root

like this and restart clamav

hope this helps
 
i wanted to remove clamav and reinstall it with custombuild but ther is issue whit it
./build remove_clamav not working will check it .
Custombuild now uses the OS version to install, no compile anymore.
So if you just do a yum remove clamav* then clamav will be uninstalled.
I did the same and then manually removed the /var/lib/clamav and /usr/share/clamav directories and the freshclam.conf.rpmnew (which it changed to).

Of course, before all this I copied my freshclam.conf and scan.conf so I could put them back later.

After that I installed via custombuild again as that is using the yum version to install anyway now, so I can't forget anything.

hope this helps
I hope so too.
Did you check your /usr/local/maldetect/logs/clamscan_log and event_log there; didn't you have any errors?
 
Oh yes, before uninstalling via yum I stopped both services and disabled them too. I think I removed them from systemd too.
 
pls set usr/local/maldetect/conf.maldet scan_clamscan="1" again
and set in /etc/clamd/scan.conf
set User root
I tried this on 1 of the servers, and I can confirm this indeed fixes the problem as far as I can see. No error anymore.

Code:
Jan 17 03:44:04 server25 maldet(2368): {scan} file list completed in 2s, found 13892 files...
Jan 17 03:44:04 server25 maldet(2368): {scan} found clamav binary at /bin/clamdscan, using clamav scanner engine...
Jan 17 03:44:04 server25 maldet(2368): {scan} scan of  (13892 files) in progress...
Jan 17 03:49:35 server25 maldet(2368): {scan} scan completed on : files 13892, malware hits 0, cleaned hits 0, time 334s
Jan 17 03:49:35 server25 maldet(2368): {scan} scan report saved, to view run: maldet --report 230117-0344.2368

Great, thank you very much @Hostmavi for all your help and your patience with us! (y)
 
I can confirm running clamd as user root has resolved the issue. Just a little worried about potential security risks like the daemon being exploited. Have to do some more reading about this. But thanks for providing a solution!
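The `User root` workaround trades the clamdscan error for a daemon that keeps full privileges, which is the risk the last post flags, and the thread also left the mixed root/clamupdate ownership of /var/lib/clamav unexplained until maldet was identified as the writer. The script below is an added example, not code from this thread, ClamAV or maldet: it parses constructed scan.conf and freshclam.conf fragments together with the `ls -l` listing quoted earlier and reports three things a reviewer would want to see before accepting the workaround: clamd configured to run as root, database files not owned by freshclam's DatabaseOwner (so some other process put them there), and files a non-root clamd could not read. The `clamscan` user name and the socket path are assumptions; the rule that a missing User directive means no privilege drop follows the comment in the config fragment quoted above, and ClamAV's documented default for DatabaseOwner is `clamav`.

```python
# Constructed samples only: a scan.conf with the thread's workaround applied,
# one with a dedicated user (name assumed), a freshclam.conf with two of the
# thread's custom URLs, and the poster's ls -l of /var/lib/clamav.
SCAN_CONF_ROOT = """\
# Run as another user (clamd must be started by root for this option to work)
# Default: don't drop privileges
User root
LocalSocket /run/clamd.scan/clamd.sock
"""

SCAN_CONF_DROPPED = """\
User clamscan
LocalSocket /run/clamd.scan/clamd.sock
"""

FRESHCLAM_CONF = """\
DatabaseOwner clamupdate
UpdateLogFile /var/log/freshclam.log
DatabaseCustomURL http://www.rfxn.com/downloads/rfxn.ndb
DatabaseCustomURL http://sigs.interserver.net/interserver256.hdb
"""

LS_VAR_LIB_CLAMAV = """\
-rw-r--r--   1 clamupdate clamupdate 287K 2021-04-08 12:32 bytecode.cvd
-rw-r--r--   1 clamupdate clamupdate 183M 2023-01-14 09:58 daily.cld
-rw-r--r--   1 clamupdate clamupdate 3.3M 2022-09-13 17:59 interserver256.hdb
-rw-r--r--   1 root       root       853K 2023-01-15 03:27 rfxn.hdb
-rw-r--r--   1 root       root       444K 2023-01-15 03:27 rfxn.ndb
-rw-r--r--   1 root       root       401K 2023-01-15 03:27 rfxn.yara
"""

# Same listing with world-read stripped from rfxn.hdb: a non-root clamd
# could not load that database, which is the failure mode User root hides.
LS_RESTRICTED = LS_VAR_LIB_CLAMAV.replace(
    "-rw-r--r--   1 root       root       853K",
    "-rw-r-----   1 root       root       853K")


def parse_clamav_conf(text):
    """Parse 'Directive value' lines into {directive: [values]}; comments and
    blank lines are skipped and repeated directives accumulate in order."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf


def parse_ls(text):
    """Turn `ls -l` lines into dicts with mode, owner, group and name."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        rows.append({"mode": fields[0], "owner": fields[2],
                     "group": fields[3], "name": fields[-1]})
    return rows


def audit(scan_conf, freshclam_conf, ls_output):
    """Return (kind, detail) findings for the privilege and ownership
    questions raised in the thread."""
    clamd = parse_clamav_conf(scan_conf)
    fresh = parse_clamav_conf(freshclam_conf)
    findings = []

    # No User directive: clamd keeps the privileges it was started with (root).
    clamd_user = clamd.get("User", ["root"])[-1]
    if clamd_user == "root":
        findings.append(("clamd_root",
                         "clamd runs as root: a bug in the scanner runs with full privileges"))

    # freshclam writes as DatabaseOwner (ClamAV default: clamav); anything owned
    # by someone else in the database directory was placed by another process.
    db_owner = fresh.get("DatabaseOwner", ["clamav"])[-1]
    for f in parse_ls(ls_output):
        if f["owner"] != db_owner:
            findings.append(("owner_mismatch", f["name"]))
        # Simplified access check: owner, or world-read bit (index 7 of the
        # mode string); group membership is not modelled here.
        readable = f["owner"] == clamd_user or f["mode"][7] == "r"
        if clamd_user != "root" and not readable:
            findings.append(("unreadable_by_clamd", f["name"]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SCAN_CONF_ROOT, FRESHCLAM_CONF, LS_VAR_LIB_CLAMAV):
        print(f"{kind}: {detail}")
```

With the thread's listing and `User root` the report shows the root flag plus the three rfxn files as owner mismatches, matching the later discovery that maldet, not freshclam, writes them; with the dropped-privilege config and the restricted listing, the root flag disappears and rfxn.hdb is reported as unreadable, which is the kind of permission problem to fix on the files (or via a shared group) rather than by running the daemon as root.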
 